First attempt at OpenID login
See https://git.autonomic.zone/compose-stacks/mediawiki/issues/14.
parent
d75e15310c
commit
3ffc239373
@ -18,6 +18,7 @@ export MEDIAWIKI_SECRET_KEY_VERSION=v1
|
|||||||
export LOCAL_SETTINGS_CONF_VERSION=v1
|
export LOCAL_SETTINGS_CONF_VERSION=v1
|
||||||
export HTACCESS_CONF_VERSION=v1
|
export HTACCESS_CONF_VERSION=v1
|
||||||
export ENTRYPOINT_CONF_VERSION=v1
|
export ENTRYPOINT_CONF_VERSION=v1
|
||||||
|
export COMPOSER_LOCAL_CONF_VERSION=v1
|
||||||
|
|
||||||
# SAML
|
# SAML
|
||||||
|
|
||||||
@ -40,3 +41,11 @@ export ENTRYPOINT_CONF_VERSION=v1
|
|||||||
## SMTP
|
## SMTP
|
||||||
#export COMPOSE_FILE="compose.yml:compose.mailrelay.yml"
|
#export COMPOSE_FILE="compose.yml:compose.mailrelay.yml"
|
||||||
#export SMTP_HOST=postfix_relay_app
|
#export SMTP_HOST=postfix_relay_app
|
||||||
|
|
||||||
|
# OpenID Connect
|
||||||
|
|
||||||
|
# export OPENID_ENABLED=1
|
||||||
|
# export COMPOSE_FILE="compose.yml:compose.openid.yml"
|
||||||
|
# export OPENID_KEYCLOAK_URL="https://keycloak.local:8080/auth/realms/acme/"
|
||||||
|
# export OPENID_CLIENT_ID="mediawiki"
|
||||||
|
# export OPENID_CLIENT_SECRET_VERSION=v1
|
||||||
|
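Review bot: The `OPENID_ENABLED` flag introduced in the second hunk is interpreted differently by its two consumers in this commit: the entrypoint tests it with `[ -n "$OPENID_ENABLED" ]` (any non-empty value) while the LocalSettings template tests `eq (env "OPENID_ENABLED") "1"`, so a value such as `0` or `false` would install the extension's Composer dependencies at every container start yet never load the extension. Since this sample is the place operators are told to edit, the line should state which values count, e.g. `# export OPENID_ENABLED=1  # must be exactly "1"; leave unset to disable`. Better still, the entrypoint guard could be aligned to the same literal comparison so there is a single definition of "enabled".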
@ -183,6 +183,16 @@ $wgGroupPermissions['*']['createaccount'] = false;
|
|||||||
$wgDebugLogFile = "/var/log/debug-{$wgDBname}.log";
|
$wgDebugLogFile = "/var/log/debug-{$wgDBname}.log";
|
||||||
{{ end }}
|
{{ end }}
|
||||||
|
|
||||||
|
{{ if eq (env "OPENID_ENABLED") "1" }}
|
||||||
|
wfLoadExtension( 'PluggableAuth' );
|
||||||
|
wfLoadExtension( 'OpenIDConnect' );
|
||||||
|
|
||||||
|
$wgOpenIDConnect_Config['{{ env "OPENID_KEYCLOAK_URL" }}'] = [
|
||||||
|
'clientID' => '{{ env "OPENID_CLIENT_ID"}}',
|
||||||
|
'clientsecret' => '{{ secret "openid-client-secret" }}'
|
||||||
|
];
|
||||||
|
{{ end }}
|
||||||
|
|
||||||
{{ if env "SMTP_HOST" }}
|
{{ if env "SMTP_HOST" }}
|
||||||
$wgSMTP = [
|
$wgSMTP = [
|
||||||
'host' => '{{ env "SMTP_HOST" }}', // could also be an IP address. Where the SMTP server is located
|
'host' => '{{ env "SMTP_HOST" }}', // could also be an IP address. Where the SMTP server is located
|
||||||
|
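Review bot: The secret name on the `'clientsecret'` line, `{{ secret "openid-client-secret" }}`, does not match the name under which the service mounts it: compose.openid.yml lists the secret as `openid_client_secret` (underscores) and the README step tells operators to create it under that name, so with the template driver resolving `secret` by its mounted name this lookup points at a file that is not there and the rendered client secret would most likely be empty. The fix is one token: `'clientsecret' => '{{ secret "openid_client_secret" }}'`. The value is also pasted verbatim into a single-quoted PHP literal, so a trailing newline in the file passed to `docker secret create`, or a `'` inside the secret, silently corrupts or breaks the credential; trimming at creation time, or documenting that the secret file must have no trailing newline, avoids a hard-to-diagnose login failure. Note also that the hunk's context line keeps `createaccount` disabled for `*`; if first-time OIDC users are expected to get wiki accounts, PluggableAuth needs `$wgGroupPermissions['*']['autocreateaccount'] = true;` inside this conditional block, which the commit does not set — confirm that matches the intended policy.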
19
README.md
19
README.md
@ -10,18 +10,18 @@ Based on [`mediawiki-ve-bundle`][mediawiki-ve].
|
|||||||
|
|
||||||
1. Set up Docker Swarm and [`abra`][abra]
|
1. Set up Docker Swarm and [`abra`][abra]
|
||||||
2. Deploy [`compose-stacks/traefik`][compose-traefik]
|
2. Deploy [`compose-stacks/traefik`][compose-traefik]
|
||||||
2. `cp .envrc.sample .envrc`
|
3. `cp .envrc.sample .envrc`
|
||||||
3. Edit `.envrc` - be sure to change `$DOMAIN` to something that resolves to
|
4. Edit `.envrc` - be sure to change `$DOMAIN` to something that resolves to
|
||||||
your Docker swarm box
|
your Docker swarm box
|
||||||
4. `direnv allow` (or `. .envrc`)
|
5. `direnv allow` (or `. .envrc`)
|
||||||
5. Generate secrets:
|
6. Generate secrets:
|
||||||
```
|
```
|
||||||
abra secret_generate db_password v1
|
abra secret_generate db_password v1
|
||||||
abra secret_generate db_root_password v1
|
abra secret_generate db_root_password v1
|
||||||
abra secret_generate mediawiki_secret_key v1 "pwgen -n 64 1"
|
abra secret_generate mediawiki_secret_key v1 "pwgen -n 64 1"
|
||||||
```
|
```
|
||||||
6. `abra deploy`
|
7. `abra deploy`
|
||||||
7. Create an initial admin user:
|
8. Create an initial admin user:
|
||||||
`abra run app php /var/www/html/maintenance/createAndPromote.php YourUsername YourPassword`
|
`abra run app php /var/www/html/maintenance/createAndPromote.php YourUsername YourPassword`
|
||||||
|
|
||||||
## SimpleSAMLphp
|
## SimpleSAMLphp
|
||||||
@ -57,6 +57,12 @@ system. Patches to make this configurable are welcome!
|
|||||||
# 'sqlite:/var/simplesamlphp/data/simplesamlphp.sq3'
|
# 'sqlite:/var/simplesamlphp/data/simplesamlphp.sq3'
|
||||||
```
|
```
|
||||||
|
|
||||||
|
## OpenID Connect
|
||||||
|
|
||||||
|
1. Edit `.envrc` and uncomment lines in the `OPENID` section (including `COMPOSE_FILE`)
|
||||||
|
1. `direnv allow`
|
||||||
|
1. Get your Keycloak generated client secret and `docker secret create` it as `openid_client_secret`
|
||||||
|
|
||||||
## License
|
## License
|
||||||
|
|
||||||
MIT License
|
MIT License
|
||||||
@ -65,7 +71,6 @@ MIT License
|
|||||||
[abra]: https://git.autonomic.zone/autonomic-cooperative/abra
|
[abra]: https://git.autonomic.zone/autonomic-cooperative/abra
|
||||||
[compose-traefik]: https://git.autonomic.zone/compose-stacks/traefik
|
[compose-traefik]: https://git.autonomic.zone/compose-stacks/traefik
|
||||||
[mediawiki-ve]: https://hub.docker.com/r/revianlabs/mediawiki-ve-bundle
|
[mediawiki-ve]: https://hub.docker.com/r/revianlabs/mediawiki-ve-bundle
|
||||||
|
|
||||||
[simplesamlphp]: https://simplesamlphp.org/
|
[simplesamlphp]: https://simplesamlphp.org/
|
||||||
[mw-simplesamlphp]: https://www.mediawiki.org/wiki/Extension:SimpleSAMLphp
|
[mw-simplesamlphp]: https://www.mediawiki.org/wiki/Extension:SimpleSAMLphp
|
||||||
[venatorfox-simplesamlphp]: https://hub.docker.com/r/venatorfox/simplesamlphp
|
[venatorfox-simplesamlphp]: https://hub.docker.com/r/venatorfox/simplesamlphp
|
||||||
|
21
compose.openid.yml
Normal file
21
compose.openid.yml
Normal file
@ -0,0 +1,21 @@
|
|||||||
|
---
|
||||||
|
version: "3.8"
|
||||||
|
|
||||||
|
services:
|
||||||
|
app:
|
||||||
|
environment:
|
||||||
|
- OPENID_KEYCLOAK_URL
|
||||||
|
- OPENID_CLIENT_ID
|
||||||
|
secrets:
|
||||||
|
- openid_client_secret
|
||||||
|
|
||||||
|
secrets:
|
||||||
|
openid_client_secret:
|
||||||
|
name: ${STACK_NAME}_openid_client_secret_${OPENID_CLIENT_SECRET_VERSION}
|
||||||
|
external: true
|
||||||
|
|
||||||
|
configs:
|
||||||
|
composer_local_conf:
|
||||||
|
name: ${STACK_NAME}_composer_local_${COMPOSER_LOCAL_CONF_VERSION}
|
||||||
|
file: composer.local.json.tmpl
|
||||||
|
template_driver: golang
|
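Review bot: The `environment:` list forwards `OPENID_KEYCLOAK_URL` and `OPENID_CLIENT_ID` but not `OPENID_ENABLED`, yet both the LocalSettings template (`eq (env "OPENID_ENABLED") "1"`) and the entrypoint (`[ -n "$OPENID_ENABLED" ]`) read that variable inside the container; unless the base compose.yml, which is not in this diff, already forwards it, the extension is never loaded and the entrypoint's `set -u` aborts on the unset name. Adding `- OPENID_ENABLED` to the list makes this overlay self-contained. The README step added in this commit tells operators to `docker secret create` the secret as `openid_client_secret`, but the `name:` here is `${STACK_NAME}_openid_client_secret_${OPENID_CLIENT_SECRET_VERSION}` with `external: true`, so a secret created under the short name will not be found at deploy time; the README should give the full versioned name, or point at the `abra secret_generate` flow used for the other secrets.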
9
composer.local.json
Normal file
9
composer.local.json
Normal file
@ -0,0 +1,9 @@
|
|||||||
|
{
|
||||||
|
"extra": {
|
||||||
|
"merge-plugin": {
|
||||||
|
"include": [
|
||||||
|
"extensions/OpenIDConnect/composer.json"
|
||||||
|
]
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
@ -2,12 +2,24 @@
|
|||||||
|
|
||||||
set -eu -o pipefail
|
set -eu -o pipefail
|
||||||
|
|
||||||
init_php() {
|
init_composer() {
|
||||||
if ! type composer > /dev/null 2>&1; then
|
set -eu
|
||||||
apt update && apt install -y curl git
|
|
||||||
curl -sS https://getcomposer.org/installer -o /tmp/composer-setup.php
|
if [ -n "$OPENID_ENABLED" ]; then
|
||||||
php /tmp/composer-setup.php --install-dir=/usr/local/bin --filename=composer --version=1.10.15
|
if ! type composer > /dev/null 2>&1; then
|
||||||
composer -V
|
apt update && apt install -y curl git
|
||||||
|
curl -sS https://getcomposer.org/installer -o /tmp/composer-setup.php
|
||||||
|
php /tmp/composer-setup.php --install-dir=/usr/local/bin --filename=composer --version=1.10.15
|
||||||
|
composer -V
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
composer_update() {
|
||||||
|
set -eu
|
||||||
|
|
||||||
|
if [ -n "$OPENID_ENABLED" ]; then
|
||||||
|
cd /var/www/html/ && composer update
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -60,7 +72,9 @@ main() {
|
|||||||
install_extensions
|
install_extensions
|
||||||
|
|
||||||
init_db
|
init_db
|
||||||
init_php
|
|
||||||
|
init_composer
|
||||||
|
composer_update
|
||||||
}
|
}
|
||||||
|
|
||||||
main
|
main
|
||||||
|
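Review bot: Both new functions run `set -eu` and then test `[ -n "$OPENID_ENABLED" ]`; under `-u` an unset `OPENID_ENABLED` is a fatal "unbound variable" error, and since `.envrc.sample` ships the export commented out and `compose.openid.yml` does not forward the variable, the default (OpenID disabled) deployment would abort in `init_composer` before `main` completes, unless something outside this diff exports it. Use the default-empty expansion in both guards, `if [ -n "${OPENID_ENABLED:-}" ]; then`, and drop the per-function `set -eu` lines, which only repeat the script-level `set -eu -o pipefail` shown in the first hunk's context. The Composer bootstrap downloads and executes `/tmp/composer-setup.php` without checking the published installer checksum, and `composer_update` runs `composer update` against the network on every container start while this commit adds no lock file, so the PHP packages inside the running image can change between restarts with no change to this repository; committing a `composer.lock`, using `composer install`, and doing the install at image build time rather than in the entrypoint would make the dependency set reproducible and reviewable. `main` begins outside the second hunk.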